CCA Blueprint: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
Line 57: | Line 57: | ||
== Domain 2: Scoping == | == Domain 2: Scoping == | ||
=== Task 1. Analyze the CMMC Assessment Scope of Controlled Unclassified Information (CUI) Assets as they pertain to a CMMC assessment using the five categories of CUI assets as defined in the CMMC Level 2 Assessment Scoping Guide. === | === Task 1. Analyze the CMMC Assessment Scope of Controlled Unclassified Information (CUI) Assets as they pertain to a CMMC assessment using the five categories of CUI assets as defined in the CMMC Level 2 Assessment Scoping Guide. === | ||
{|class="wikitable" | {|class="wikitable" style="width: 85%;" | ||
|- | |||
! style="width: 10%"|Lesson Topic | |||
! style="width: 10%"|Objective | |||
! style="width: 80%"|Objective Description | |||
|- | |||
|4B | |||
|2.1.1 | |||
|1. Categorization of CUI data in the form of Assets that are in scope: | |1. Categorization of CUI data in the form of Assets that are in scope: | ||
:A. #1: Controlled Unclassified Information (CUI) Assets | |- | ||
::(1) Process, store, or transmit CUI | |4B | ||
:B. #2: Security Protection Assets | |2.1.1.A | ||
::(1) Assets that provide security functions and capabilities to contractor’s CMMC Assessment Scope | |:A. #1: Controlled Unclassified Information (CUI) Assets | ||
:C. #3: Contractor Risked Managed Assets | |- | ||
::(1) Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place | |4B | ||
:D. #4: Specialized Assets | |2.1.1.A(1) | ||
::(1) Assets that may/may not process, store, or transmit CUI | |::(1) Process, store, or transmit CUI | ||
::(2) Assets include government property, Internet of Things (IoT) devices, Operational Technology (OT), Restricted Information Systems, and Test Equipment | |- | ||
:E. #5: Out-of-Scope Assets | |4B | ||
::(1) Assets that cannot process, store, or transmit CUI | |2.1.1.B | ||
|:B. #2: Security Protection Assets | |||
|- | |||
|4B | |||
|2.1.1.B(1) | |||
|::(1) Assets that provide security functions and capabilities to contractor’s CMMC Assessment Scope | |||
|- | |||
|4B | |||
|2.1.1.C | |||
|:C. #3: Contractor Risked Managed Assets | |||
|- | |||
|4B | |||
|2.1.1.C(1) | |||
|::(1) Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place | |||
|- | |||
|4B | |||
|2.1.1.D | |||
|:D. #4: Specialized Assets | |||
|- | |||
|4B | |||
|2.1.1.D(1) | |||
|::(1) Assets that may/may not process, store, or transmit CUI | |||
|- | |||
|4B | |||
|2.1.1.D(2) | |||
|::(2) Assets include government property, Internet of Things (IoT) devices, Operational Technology (OT), Restricted Information Systems, and Test Equipment | |||
|- | |||
|4B | |||
|2.1.1.E | |||
|:E. #5: Out-of-Scope Assets | |||
|- | |||
|4B | |||
|2.1.1.E(1) | |||
|::(1) Assets that cannot process, store, or transmit CUI | |||
|} | |} | ||
Revision as of 18:14, 8 May 2023
Source of Reference: The CCA blueprint document from Cybersecurity Maturity Model Certification Accreditation Body, Inc.
For inquiries and reporting errors on this wiki, please contact us. Thank you.
Domains
Upon successful completion of this exam, the candidate will be able to apply skills and knowledge to the below domains:
Domain | Exam Weight |
1. Evaluating Organizations Seeking Certification (OSC) against CMMC Level 2 requirement | 15% |
2. CMMC Level 2 Assessment Scoping | 20% |
3. CMMC Assessment Process (CAP) | 25% |
4. Assessing CMMC Level 2 Practices | 40% |
Domain 1: Evaluating Organizations Seeking Certification (OSC) against CMMC Level 2 requirements
Task 1. Assess the various environmental considerations of Organizations Seeking Certification (OSCs) against CMMC L2 practices.
Lesson Topic | Objective | Objective Description |
---|---|---|
4C | 1.1.1 | # The difference between logical (virtual) and physical locations |
4C | 1.1.2 | # The difference between professional and industrial environments |
4C | 1.1.3 | # Single and multi-site environmental constraints and Evidence requirements |
4C | 1.1.4 | # Cloud and hybrid environment constraints and Evidence requirements |
4C | 1.1.5 | # On-premises environmental constraints |
4C | 1.1.6 | # Environmental exclusions for a level 2 CMMC assessment |
Domain 2: Scoping
Task 1. Analyze the CMMC Assessment Scope of Controlled Unclassified Information (CUI) Assets as they pertain to a CMMC assessment using the five categories of CUI assets as defined in the CMMC Level 2 Assessment Scoping Guide.
Lesson Topic | Objective | Objective Description |
---|---|---|
4B | 2.1.1 | 1. Categorization of CUI data in the form of Assets that are in scope: |
4B | 2.1.1.A | :A. #1: Controlled Unclassified Information (CUI) Assets |
4B | 2.1.1.A(1) | ::(1) Process, store, or transmit CUI |
4B | 2.1.1.B | :B. #2: Security Protection Assets |
4B | 2.1.1.B(1) | ::(1) Assets that provide security functions and capabilities to contractor’s CMMC Assessment Scope |
4B | 2.1.1.C | :C. #3: Contractor Risked Managed Assets |
4B | 2.1.1.C(1) | ::(1) Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place |
4B | 2.1.1.D | :D. #4: Specialized Assets |
4B | 2.1.1.D(1) | ::(1) Assets that may/may not process, store, or transmit CUI |
4B | 2.1.1.D(2) | ::(2) Assets include government property, Internet of Things (IoT) devices, Operational Technology (OT), Restricted Information Systems, and Test Equipment |
4B | 2.1.1.E | :E. #5: Out-of-Scope Assets |
4B | 2.1.1.E(1) | ::(1) Assets that cannot process, store, or transmit CUI |
Task 2. Given a scenario, analyze the CMMC Assessment Scope based on the predetermined CUI categories within the CMMC Level 2 Assessment Scoping Guide.
1. CMMC assessment asset categories (In-scope)
|
2. CMMC assessment asset categories (Out-of-scope) |
3. Separation Techniques
|
Task 3. Evaluate CMMC assessment scope considerations based on the CMMC Level 2 Assessment Scoping Guide.
1. FCI and CUI within the same Assessment Scope:
|
2. FCI and CUI NOT within the same Assessment Scope:
|
3. External Services Providers
|
Domain 3: CMMC Assessment Process (CAP) v5.X
Task 1. Given a scenario, apply the appropriate phases and steps to plan, prepare, conduct, and report on a CMMC Level 2 Assessment.
1. Phase 1—Plan and Prepare Assessments:
|
2. Phase 2—Conduct assessment:
|
3. Phase 3—Report recommended assessment results:
|
Domain 4: CMMC Levels 2 Practices
Task 1. Identify evidence verification/validation methods and objects for Practices based on the CMMC Level 2 Assessment Guide and CMMC Assessment Process (CAP) documentation.
1. Methods and objects for determining evidence
|
2. Adequacy and sufficiency related to evidence around all below practices
|
3. CMMC Level 2 Assessment Practice objectives including potential methods, objects, and assessment considerations (by domain):
(at a minimum the practices listed below must be evaluated for CCA candidates) |
A. Access Control (AC)
|
B. Awareness & Training (AT)
|
C. Audit & Accountability (AU)
|
D. Configuration Management (CM)
|
E. Identification & Authentication (IA)
|
F. Incident Response (IR)
|
G. Maintenance (MA)
|
H. Media Protection (MP)
|
I. Personnel Security (PS)
|
J. Physical Protection (PE)
|
K. Risk Assessment (RA)
|
L. Security Assessment (CA)
|
M. System & Communications Protection (SC)
|
N. System & Information Integrity (SI)
|